areas/software/security/skills/sast-dast-interpretation/SKILL.md
# Skill: SAST/DAST Results Interpretation

## When to load

When reviewing security scan results, triaging vulnerabilities, or deciding which findings to fix vs. accept.

## SAST Triage Matrix

| Severity | CVSS | Action | Timeline |
|:---|:---|:---|:---|
| Critical | 9.0–10.0 | Block merge, fix immediately | Same day |
| High | 7.0–8.9 | Block deploy | 72 hours |
| Medium | 4.0–6.9 | Track as tech debt | 2 weeks |
| Low | 0.1–3.9 | Backlog | Next quarter |

Treat the scanner's CVSS score as a starting point: confirm the flagged code is reachable and exposed before applying the row, and record the rationale whenever a finding is downgraded.
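The matrix applied in code, as an added example for this page (not part of the original skill). The findings and the `Finding` record shape are constructed for illustration rather than taken from any real scanner export; suppressions without a written justification are deliberately treated as still open, which matches the "suppress with justification" rule below.

```python
"""Apply the SAST triage matrix to a list of scanner findings.

Added example for this skill page (not part of the original). The Finding
record and the sample findings below are constructed, not a real tool's
export format.
"""
from dataclasses import dataclass
from typing import Optional

# Matrix rows from the page: (lower bound, severity, action, timeline).
# Checked in descending order so the first match wins.
TRIAGE_MATRIX = (
    (9.0, "Critical", "Block merge, fix immediately", "Same day"),
    (7.0, "High", "Block deploy", "72 hours"),
    (4.0, "Medium", "Track as tech debt", "2 weeks"),
    (0.1, "Low", "Backlog", "Next quarter"),
)


@dataclass
class Finding:
    rule_id: str
    cvss: float
    location: str
    suppressed: bool = False
    justification: Optional[str] = None


def classify(cvss: float) -> tuple:
    """Map a CVSS base score to (severity, action, timeline)."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for lower, severity, action, timeline in TRIAGE_MATRIX:
        if cvss >= lower:
            return severity, action, timeline
    return "None", "No action", "n/a"  # CVSS 0.0: informational only


def is_suppressed(f: Finding) -> bool:
    """A suppression only counts when it carries a justification.

    A bare ignore stays an open finding so it cannot silently hide a true
    positive; the reason is what a reviewer can challenge.
    """
    return f.suppressed and bool(f.justification and f.justification.strip())


def triage(findings):
    """Return the open findings with their matrix row plus the gating decision."""
    rows = []
    for f in findings:
        if is_suppressed(f):
            continue
        severity, action, timeline = classify(f.cvss)
        rows.append({
            "rule_id": f.rule_id,
            "location": f.location,
            "severity": severity,
            "action": action,
            "timeline": timeline,
        })
    block_merge = any(r["severity"] == "Critical" for r in rows)
    block_deploy = block_merge or any(r["severity"] == "High" for r in rows)
    return {"open": rows, "block_merge": block_merge, "block_deploy": block_deploy}


# Constructed sample findings (hypothetical rule ids and paths).
SAMPLE_FINDINGS = [
    Finding("sql-injection", 9.8, "app/db.py:42",
            suppressed=True, justification="parameterized ORM query"),
    Finding("hardcoded-credential", 7.5, "config/settings.py:10",
            suppressed=True),  # ignored without a reason -> stays open
    Finding("xss", 6.1, "web/views.py:88"),
    Finding("info-exposure", 3.1, "app/logging.py:5"),
]

if __name__ == "__main__":
    result = triage(SAMPLE_FINDINGS)
    for row in result["open"]:
        print(f'{row["severity"]:<8} {row["rule_id"]:<22} {row["location"]:<24} '
              f'{row["action"]} ({row["timeline"]})')
    print("block merge:", result["block_merge"], "| block deploy:", result["block_deploy"])
```

With the constructed sample, the unjustified suppression on the High finding keeps it open, so the run blocks deploy but not merge.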
## Common False Positives

```
False positive: "SQL Injection" on ORM query
→ Verify the ORM binds the value as a parameter and the flagged call is not a raw-SQL escape hatch with interpolated input → add suppression comment:
// snyk:ignore:sql-injection -- parameterized ORM query

False positive: "Hardcoded credential" on config key name
→ Verify the value is read from an env var or secret store and only the key name is in source → suppress with justification
```

The inline suppression syntax is scanner-specific (Semgrep, for example, uses `// nosemgrep: <rule-id>`); whatever the syntax, the comment must state the reason so a reviewer can challenge it, and suppressions without one should be treated as open findings.
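One way to actually verify the first case instead of trusting the ORM's documentation: exercise the flagged query path with an injection payload against an in-memory SQLite database and see whether the payload changes the result set. This is an added example, not code from the original skill; the two lookup functions are hypothetical stand-ins for what a scanner might flag, one shaped like a bound-parameter ORM query and one genuinely concatenating input.

```python
"""Confirm or refute a 'SQL Injection' finding by running the flagged query
shape with a tautology payload against an in-memory SQLite database.

Added example (not from the original page). find_user_parameterized and
find_user_concatenated are hypothetical stand-ins for flagged code.
"""
import sqlite3

# Classic tautology payload: a safe query treats it as a literal name and
# matches nothing; a concatenating query turns it into "WHERE name = '' OR '1'='1'".
PAYLOAD = "' OR '1'='1"


def _db() -> sqlite3.Connection:
    """Constructed fixture: two users in a fresh in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """What a well-behaved ORM emits underneath: placeholder plus bound value."""
    return conn.execute("SELECT id, name FROM users WHERE name = ?", (name,)).fetchall()


def find_user_concatenated(conn: sqlite3.Connection, name: str) -> list:
    """The genuinely vulnerable shape: user input spliced into the SQL text."""
    return conn.execute(f"SELECT id, name FROM users WHERE name = '{name}'").fetchall()


def is_injectable(query_fn) -> bool:
    """True if the payload returns rows that a literal name match never would.

    A False result supports suppressing the finding as a false positive;
    a True result means the scanner was right and the finding stays open.
    """
    conn = _db()
    try:
        return len(query_fn(conn, PAYLOAD)) > 0
    finally:
        conn.close()


if __name__ == "__main__":
    for fn in (find_user_parameterized, find_user_concatenated):
        verdict = "TRUE POSITIVE" if is_injectable(fn) else "false positive"
        print(f"{fn.__name__}: {verdict}")
```

Run the check against the real call site, not a re-implementation: if the ORM exposes a raw or `text()`-style escape hatch, the same payload test on that path is what tells you whether the finding deserves the suppression.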